28007 vs. 28000: Differences and Similarities

Threats to supply chains and maritime operations are increasing: piracy, theft, intrusion, terrorism, organised crime and regulatory complexity all push organisations to adopt security management systems. Two standards that frequently arise are ISO 28000 and ISO 28007-1. Although they share a common lineage and overlap in intent, they have distinct scopes, audiences and requirements. For organisations deciding whether to adopt one, both, or integrate them, understanding their relationship is critical.

If your organisation is involved in supply chain security broadly, or more specifically maritime private security services (such as privately contracted armed security personnel on board ships), then clarity on which standard applies and how they interplay is essential.


What is ISO 28000? – The foundation

Scope & Purpose

ISO 28000 is a generic security management system (SMS) standard for organisations, especially those operating in supply chain environments. According to one summary, it is a risk-based management system for the security of the operations and activities conducted by an organisation.

It was originally published in 2007 as “Specification for security management systems for the supply chain” (ISO 28000:2007) and later revised (most recently as ISO 28000:2022) to align with other management system standards through the common Annex SL structure.

Key features

  • It uses the high-level structure (HLS) of management systems: Context of organisation, Leadership, Planning, Support, Operation, Performance evaluation, Improvement.
  • Applicable to any size or type of organisation, and not limited to maritime operations. Although the standard was originally targeted at supply chains, the 2022 revision states that it can be applied across the whole organisation.
  • Focus is on security risk management: identifying stakeholders, threats, vulnerabilities; implementing controls; measuring and improving.
  • Benefits include improved resilience, enhanced brand credibility, systematised management practices and integration with other management systems.

Why organisations adopt ISO 28000

  • It gives a framework for security management across the supply-chain, covering inbound/outbound logistics, warehouses, transport, storage, etc.
  • Customers and regulators increasingly expect formal security management systems; certification to ISO 28000 helps signal that maturity.
  • Enables alignment with other management systems (ISO 9001, ISO 14001, ISO 22301 etc) by using the HLS structure.
  • Helps organisations manage non-traditional risks (security incidents, supply-chain disruption) in a structured way.

What is ISO 28007-1? (or ISO 28007) – The sector-specific extension

Scope & Purpose

ISO 28007-1 (often referred to simply as ISO 28007) is a sector-specific standard that builds on ISO 28000 to provide guidance (and requirements) specifically for Private Maritime Security Companies (PMSCs) that provide Privately Contracted Armed Security Personnel (PCASP) on board ships.

For example, the International Maritime Organization (IMO) notes that ISO 28007-1 was developed to address the lack of agreed minimum performance standards for PCASP operations.

Key features

  • It is designed to be applied by organisations that are already conformant with ISO 28000 – in other words, it assumes the base framework of ISO 28000 is in place, and then adds maritime-specific guidance and controls.
  • Covers maritime security management controls, including those unique to armed guards aboard vessels, shipping operations in high-risk areas (HRA), legal/regulatory regimes for carriage of firearms, selection/training of personnel, subcontractors, incident management and human rights considerations.
  • It adds “additional sector specific requirements” for PMSCs rather than being a wholly new generic standard.
  • The current edition, ISO 28007-1:2015, replaced the earlier publicly available specification ISO/PAS 28007:2012.

Why organisations adopt ISO 28007

  • For PMSCs operating on vessels, especially in piracy-risk zones (Indian Ocean, Gulf of Guinea, etc), certification to ISO 28007 in conjunction with ISO 28000 demonstrates a high level of governance, competence and compliance to customers (shipping companies, charterers) and regulators.
  • It provides a competitive differentiator: being able to show that you meet sector-specific security management standards above generic ones.
  • It helps manage the legal/regulatory complexity around armed security personnel aboard ships (concern over use of force, liability, jurisdiction). The standard is aligned with IMO guidance.



Similarities between ISO 28000 & ISO 28007-1

The following features apply to both standards:

  • Management system approach: both adopt a structured SMS framework (policy → planning → operation → review → improvement).
  • Risk-based thinking: both require identification of threats, vulnerabilities, the context of the organisation and its stakeholders.
  • Continual improvement: both expect monitoring, measurement, internal audit and corrective/preventive action.
  • Certification potential: both can be subject to external audit and certification (ISO 28000 in its own right; ISO 28007-1 usually as an extension).
  • Supply chain/security overlap: both address aspects of security such as supply chain flows, physical transport, logistics and maritime security.

In short, ISO 28007-1 does not replace ISO 28000; rather, it extends or overlays it for the specific maritime PMSC context. Many of the fundamentals (leadership, planning, context, resources, competence, communication, performance evaluation) come from ISO 28000.


Key Differences – What sets them apart

Here are the main areas where ISO 28007-1 diverges from (or builds on) ISO 28000:

  1. Scope / Applicability
    • ISO 28000: Generic — can be applied by any organisation concerned with security management, supply chain or otherwise.
    • ISO 28007-1: Specific — applies to PMSCs providing PCASP aboard ships. It is maritime-sector-specific.
  2. Baseline vs Sector Extension
    • ISO 28000 acts as the “baseline” SMS standard for security management.
    • ISO 28007-1 acts as a “sector specific” overlay: assumes ISO 28000 is already met (or being implemented) and then adds controls, guidance and requirements unique to the maritime private security environment.
  3. Operational Controls
    • ISO 28000 addresses controls relevant to supply chain security, logistics, infrastructure, movable assets etc at a general level.
    • ISO 28007-1 addresses matters such as armed guard deployment, rules of engagement, embarkation/disembarkation of PCASP, legal/regulatory compliance for weapons, incident response aboard ship, subcontractor management in maritime operations. For example it emphasises selection and ongoing competence of personnel.
  4. Regulatory / Legal Focus
    • ISO 28000 is less focused on specific legal regimes; it addresses legal and regulatory requirements in a generic way (the organisation must consider its legal obligations).
    • ISO 28007-1 emphasises maritime-specific legal/regulatory regimes including flag state/port state laws regarding armed security personnel, jurisdiction, liability, UN Guiding Principles on Business and Human Rights.
  5. Certification / Implementation Pathway
    • Organisations may seek certification to ISO 28000 alone.
    • For ISO 28007-1, the typical pathway is ISO 28000 certification plus adherence or certification to ISO 28007-1 (or meeting its requirements). Some certification bodies treat ISO 28007-1 as an extension or “additional requirements” standard.
  6. Context of Use
    • ISO 28000 is used broadly across industries, supply chains, multimodal transport, warehousing, manufacturing, logistics.
    • ISO 28007-1 is used by PMSCs, shipping companies contracting PCASP, high-risk maritime transits, piracy-vulnerable routes.

Why this distinction matters (and for whom)

For companies in supply chain/transport/logistics

If you are a logistics provider, transport operator, warehouse operator or manufacturing firm concerned about security of goods in transit, the primary standard to consider is ISO 28000. It is broad, applicable and provides a strong security management system framework.
If you do not engage in maritime armed security activities, ISO 28007-1 is likely not relevant.

For private maritime security companies (PMSCs) or shipping companies contracting PCASP

Here, the distinction is critical. If your organisation provides private armed security personnel on board ships, then ISO 28007-1 provides the sector-specific additional guidance. However, you will still build on the ISO 28000 fundamentals.
If you simply hold ISO 28000 certification, you cover the management system aspect but you may lack the maritime-specific controls demanded by shipping companies, regulators and flag states. ISO 28007-1 helps fill that gap.

For auditors/consultants/training providers

Understanding the relationship between ISO 28000 and ISO 28007-1 helps tailor consultancy, gap analyses, training content. For example when training a PMSC you would teach ISO 28000 fundamentals (risk management, leadership, planning, etc) and then add ISO 28007-1 modules (PCASP operations, human rights, legal framework for firearms).

For clients/customers of PMSCs

Shipping companies contracting PMSCs may require that the PMSC holds certification to both ISO 28000 and ISO 28007-1 (or equivalent verified compliance). This gives assurance of management system capability plus domain-specific competence.


Integration & Implementation – How to use them together

Here are steps or tips for an organisation that wishes to implement both (or evaluate which applies):

  1. Gap analysis
    • Map your existing security management system against ISO 28000 requirements.
    • If you are a PMSC, then overlay ISO 28007-1 requirements: review where maritime/PCASP-specific controls are present or lacking.
    • Example: Are your armed personnel selected, trained, competent? Are there documented rules of engagement? Are legal/regulatory regimes considered? Are subcontractors managed? These are ISO 28007-1 specific.
  2. Leadership commitment & scope definition
    • Under ISO 28000 you must define the scope of your SMS (which parts of organisation, which supply chain flows).
    • If using ISO 28007-1, define scope to include maritime operations, PCASP activities, high risk areas (HRA), vessel types, subcontractors.
  3. Context, stakeholders and risk assessment
    • ISO 28000: Determine internal/external issues, interested parties, their requirements, identify security risks that might compromise supply chain, operations, assets.
    • ISO 28007-1: Additional context — vessel transit in HRA, armed security personnel use, legal/regulatory overlay, maritime stakeholders (shipowner, charterer, port/flag state, insurers).
  4. Operational controls and implementation
    • Under ISO 28000 you implement controls across operations (transport, storage, access control, personnel, information).
    • Under ISO 28007-1 you implement maritime/PCASP-specific controls: for example, procedures for embarkation/disembarkation of PCASP, documentation of firearm carriage, training & competence of armed guards, rules of engagement, subcontractor oversight, incident response aboard vessels.
  5. Performance evaluation & improvement
    • Use internal audits, management review, monitoring and measurement (ISO 28000).
    • For ISO 28007-1, ensure audits cover the maritime/PCASP-specific scope: e.g., are armed personnel competencies current? Are incident reports reviewed and lessons learned? Are subcontractors audited? Are all legal/regulatory obligations met?
  6. Certification strategy
    • Decide if you will seek certification to ISO 28000 alone, or both ISO 28000 + ISO 28007-1.
    • If seeking both, ensure your certification body can audit the sector-specific extension. Some certification bodies may issue a joint certificate or a base certificate with an extension endorsement.
  7. Communication and stakeholder assurance
    • Use your certification(s) as evidence of security management maturity. For PMSCs, being able to show ISO 28007-1 in addition to ISO 28000 may help win contracts with shipping companies, charterers, insurers and port/flag states.



Practical considerations for UK businesses and beyond

For consultancies working in the UK with clients in manufacturing, engineering, logistics and similar sectors, this section highlights practical tips:

  • UK accredited certification bodies: In the UK, the United Kingdom Accreditation Service (UKAS) provides guidance for certification bodies certifying PMSCs against ISO 28000/ISO 28007-1.
  • If your organisation is not directly in the maritime sector or deploying armed security personnel, you may not need ISO 28007-1. For example your focus might be ISO 28000 only (or integrated with other management systems).
  • For maritime operations in high risk areas, maritime clients may demand ISO 28007-1 compliance. So if you are a security consultancy servicing that niche, understanding both is key.
  • Implementation effort: because ISO 28007-1 adds “additional sector-specific requirements” for PMSCs that are already ISO 28000 certified, an existing ISO 28000 system is the starting point rather than a fresh build.
  • In your consultancy role (e.g., for clients needing certification, or for clients in security, logistics or supply chain) you can position ISO 28000 as the foundation, and ISO 28007-1 as the specialist overlay for maritime armed security.
  • Train internal auditors accordingly: For ISO 28007-1 you will need staff familiar with maritime operations, PCASP issues, rules of engagement, legal/regulatory compliance for weapon carriage, subcontractor oversight, etc.
  • Consider how your organisation’s scope, operations and risk profile match the standards: If you are not in maritime or armed guard operations, ISO 28007-1 may not be relevant and you risk over-engineering. Better to focus on ISO 28000 + possibly other applicable standards (e.g., ISO 22301 business continuity, ISO 45001 occupational health & safety) rather than adopting a specialised maritime standard.
  • For marketing and business development: If you hold or help clients obtain ISO 28007-1, emphasise the niche maritime security competence; if you hold ISO 28000, emphasise supply chain security and broader organisational security management.

When NOT to use ISO 28007-1 (and when ISO 28000 alone suffices)

  • If your organisation does not provide privately contracted armed security personnel on board ships, or operate in high-risk maritime environments, then the additional requirements of ISO 28007-1 will likely be irrelevant (and possibly costly).
  • If your operations are land-based supply chain, warehousing, logistics, manufacturing, with no maritime or armed security component, focus on ISO 28000 (or even other standards more relevant to your niche).
  • If you are early in your security management maturity journey, it may make sense to implement ISO 28000 first, build your system, then consider specialised extensions.
  • Ensure that the certification body you choose is competent to audit maritime/PCASP operations if you choose ISO 28007-1. Not all certification bodies specialise in that niche.

Key Take-aways: Summary Table

ISO 28000
  • Scope: generic security management system for supply chain/security across any organisation.
  • Audience: any organisation with security or supply-chain concerns.
  • Key controls focus: risk assessment, security controls, leadership, planning, support, operation, performance evaluation, improvement.
  • Relationship to the other: foundation standard; other sector-specific standards may build on it.

ISO 28007-1
  • Scope: sector-specific guidance/requirements for PMSCs providing privately contracted armed security personnel on board ships.
  • Audience: private maritime security companies and shipping-industry suppliers operating in high-risk maritime zones.
  • Key controls focus: armed guard deployment, PCASP procedures, legal/regulatory compliance for firearms, maritime context, incident management aboard vessels.
  • Relationship to the other: an overlay/extension of ISO 28000; assumes an ISO 28000 system is in place and adds maritime specifics.

Implications for Your Consultancy & Clients

For a consultancy advising on ISO certifications, security management, supply chain, logistics and manufacturing, here is how the two standards might be positioned in your services:

  • For manufacturing, engineering, construction, recycling, IT, logistics clients: emphasise ISO 28000 implementation as part of an integrated security/risk management suite (especially if they have logistics and supply-chain operations).
  • If you have clients in maritime logistics, shipping, offshore, or private security, then you may support them with ISO 28000 + ISO 28007-1 gap analysis, implementation and certification readiness.
  • Develop training/awareness modules specific for ISO 28007-1 if you serve PMSCs or maritime clients: e.g., modules on PCASP competence, legal/regulatory landscape for maritime armed security, contract management with ship-owners, high-risk area transits, incident management aboard ships.
  • Use the differentiation: many organisations may know ISO 28000; fewer have deep understanding of ISO 28007-1 — so you can position niche expertise here.
  • For your blog, whitepapers, marketing collateral: emphasise the distinction and interplay — “ISO 28000 gives you the foundational SMS; ISO 28007-1 gives you the maritime-armed-guard overlay”.
  • For clients already certified to ISO 28000 but operating in maritime/PCASP field: offer audits or gap assessments to extend or integrate ISO 28007-1 requirements.
  • Remember cost-benefit: For clients not in maritime armed-guard domain, engaging in ISO 28007-1 may introduce unnecessary overhead — help them make informed decisions.

Common Pitfalls & Considerations

  • Assuming ISO 28007-1 substitutes ISO 28000: It does not. It assumes a robust ISO 28000 base or equivalent security management system.
  • Underestimating legal/regulatory complexity: Especially with PCASP operations, the legal/regulatory regime for countries/flag states is complex. ISO 28007-1 expects that organisations consider those obligations. Failure to do so risks non-compliance.
  • Certification body selection: Some certification bodies may not have maritime/PCASP auditing competence. Make sure the auditor is experienced in maritime security context. UKAS guidance states special considerations for certification bodies certifying private maritime security companies under ISO 28007-1.
  • Scope creep: For organisations not in maritime armed guard domain, including ISO 28007-1 may lead to overwhelming or irrelevant controls. Keep scope aligned with operations.
  • Integration with other management systems: Both standards benefit from integration with other management systems (quality, environment, business continuity). But remember that sector-specific standards may require additional resources/training.
  • Maintaining competence: Particularly for maritime/PCASP operations, ongoing competence of personnel, awareness of VRAs (vessel risk assessments), subcontractor oversight, audit trails are critical. ISO 28007-1 emphasises this.
  • High-risk area (HRA) context: Many PMSCs operate in HRAs (Indian Ocean, Gulf of Guinea). ISO 28007-1 is geared to such scenarios. Using the standard without understanding the HRA context can lead to gaps.

Conclusion

When comparing ISO 28000 with ISO 28007-1:

  • Use ISO 28000 as your foundation standard for security management systems across supply chain, transport, logistics and broader organisational operations.
  • Use ISO 28007-1 as the sector-specific overlay when you are in the maritime private security domain (PMSCs, PCASP operations).
  • Both standards share common features (management system structure, risk-based approach, continual improvement), but they differ substantially in scope, depth of operational controls, legal/regulatory emphasis and audience.
  • For your consultancy business, being able to articulate this distinction clearly will help you guide clients appropriately: avoid over-engineering for those who don’t need maritime armed-guard controls, and ensure those who do need them understand not just the ISO 28000 structure, but the additional maritime requirements.
  • Ultimately, implementing either (or both) standards effectively contributes to stronger security governance, improved stakeholder confidence, risk reduction and competitive market positioning.


About Us 

Candy Management Consultants has guided UK businesses through stress-free ISO certifications since 2017. Our 100% first-pass success rate comes from tailoring frameworks to your operations and a personalised approach rather than checklists, at fixed day rates, with transparent per-project contracts and with the help of modern ISO management software.
